Application Security Officer

Nepalijob
📍 Kathmandu
💼 full-time
📅 Posted Apr 18, 2026
Deadline: Jul 18, 2026
📊 Sector
Information Technology

Job Description

Job Position: Application Security Officer (Offensive Security)

Key Responsibilities

  • Conduct in-depth manual security assessments of web, mobile, and API applications (black box / grey box / authenticated testing)
  • Perform advanced penetration testing focusing on business logic flaws, authentication/authorization bypass, and vulnerability chaining
  • Identify, validate, and exploit vulnerabilities across modern architectures (REST APIs, microservices, cloud-based apps)
  • Use both manual techniques and automated tools to discover vulnerabilities beyond standard scanning coverage
  • Collaborate with developers and stakeholders to prioritize and remediate security issues effectively
  • Prepare high-quality technical reports with clear risk impact and actionable remediation steps
  • Support secure development practices and integrate security into the SDLC
  • Stay current with emerging attack techniques, CVEs, and exploitation trends
  • Mentor junior testers and contribute to internal knowledge sharing and methodology improvement


Required Skills

  • 2+ years of hands-on experience in application security / penetration testing
  • Strong understanding of the OWASP Top 10 and of vulnerability classes beyond it (IDOR, SSRF, deserialization, race conditions, logic flaws, etc.)
  • Deep experience with Burp Suite (Pro) including extensions, manual testing workflows, and request manipulation
  • Familiarity with tools such as Nmap, Metasploit, ffuf, nuclei, Wireshark, and custom scripts
  • Ability to perform manual testing without relying solely on automated scanners
  • Proficiency in at least one scripting language (Python preferred) for automation and exploitation
  • Good understanding of web technologies (HTTP, sessions, tokens, APIs, JWT, OAuth)
  • Basic understanding of cloud security concepts (AWS/Azure/GCP) is a plus
  • Strong analytical thinking and ability to break complex systems creatively
  • Good communication skills for reporting and client interaction
  • Experience with bug bounty platforms (like HackerOne, Bugcrowd) or real-world vulnerability disclosures is a strong plus



Source: Kumarijob | You will be redirected to the original job posting to complete your application.
KaamNepal does not collect applications or store personal data.
